Hacker Strikes Back At Government Linked Cyberespionage Group ZooPark

Earlier in May, Kaspersky Labs published research on the so-called ZooPark cyberespionage group that conducted a hacking campaign geared at Android devices in the Middle East. Am anonymous hacker has now apparently struck back by stealing a cache of ZooPark’s own data and providing it to Motherboard, Vice’s online magazine and video channel dedicated to technology. In addition to offering a glimpse of a government hacking campaign, the turnaround represents a rare instance of an APT (or advanced persistent threat) itself being targeted.

In an online chat, the hacker told Motherboard that they believed the intel was on Iranian APTs, but Kaspersky said it could not currently link ZooPark to a known actor.

Motherboard described the hacker’s stolen data as “noteworthy”, and described it as including text messages, emails and GPS locations, in addition to audio recordings seemingly captured by the malware of people speaking. The hacker broke into a specific ZooPark server that was listed in the research by Kaspersky, and said they had also found a second related server hosted in Tehran, Iran.

Motherboard cross checked the stolen material with the details in Kaspersky’s recent report to corroborate the hacker’s claim it was taken from a ZooPark server. Motherboard detected a significant concentration of infected devices in Egypt along with others in Iran. Kaspersky’s report noted victims in Egypt, Jordan, Morocco, Lebanon and Iran. The data given to Motherboard names the model of different phones involved, and all appear to be Android phones, as was also clear from Kaspersky. The earliest timestamp of an infected device was found to be 2016; the same year that Kaspersky said this particular version of ZooPark’s malware had been created. Many of the potential targets were also corroborated by the cross checking, including members of the United Nations Relief and Works Agency.

Alexey Firsh, security expert at Kaspersky Lab and author of the report on ZooPark, said the third version of ZooPark’s malware was based on Sypmaster Pro, which any ordinary consumer can purchase, although ZooPark’s version allows for enhanced features, including letting an attacker record phone calls, monitor a phone’s Internet browser, and steal photographs. This version of the malware was delivered through watering hole attacks i.e. once the target goes to a malicious website, the malware is delivered. Firsh said the malware came from two Arabic language sites: alnaharegyptdotcom and alhayatnewsdotcom, and added that this particular strain of the malware was used to target “employers of international organizations.”